Coming soon | Intermediate | Pro

Finding Gozi: An Italian Malspam Infection

An accounts clerk at an Italian textile firm clicked an overdue-invoice link, downloaded a ZIP, and opened an Internet shortcut that reached out over SMB to pull a second-stage loader. PowerShell and rundll32 ran the Gozi banking trojan, and the workstation began beaconing to a rotating list of bare IP-literal hosts over plain HTTP. Trace the chain from a link-based lure through an SMB stage-2 fetch to the single command-and-control endpoint the trojan settled on, where it also shipped the stolen data.

50m
6 tasks
50 points
Pro

Launches Friday, July 3, 2026 at 9:00 AM

Pro unlocks this operation at launch.

Training Tools

SIEM, Firewall

What you'll investigate

6 objectives unlock when this operation goes live.

1. Triage the morning alert
2. Trace the delivery
3. Follow the shortcut off the network
4. Recover the second stage
5. Pin the C2 beacon
6. Classify the execution proxy
